
Potential PHP Webshell

Anvilogic Forge

Summary
This detection rule identifies potential PHP web shells, malicious scripts that attackers use to gain and maintain unauthorized access to web applications. The rule focuses on PHP functions known for their ability to execute shell commands, including exec(), system(), and others. Combining HTTP request logging with regex pattern matching, the rule scans web application firewall logs for the characteristic patterns of these functions inside request queries, which could indicate attempts to exploit vulnerable web applications. If any of these command-execution functions appear in an HTTP GET or POST request that returns a successful response (HTTP status 200 or similar), the rule flags the request as a potential web shell. This detection aligns with behaviors associated with threat actors such as Teal Kurma, which operates under various aliases (e.g., Sea Turtle, Marbled Dust).
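The detection logic described above, run over a few constructed log lines, as an added illustration (this is not Anvilogic's rule or query). The simplified log format, the extra function names beyond exec() and system(), and the 2xx status range are assumptions; it also decodes percent-encoding, since a query carrying `system%28` would otherwise slip past a literal regex.

```python
import re
from urllib.parse import unquote_plus

# Assumed, constructed log format (not any real product's): method,
# path+query, HTTP status, and an optional POST body after "body=".
LOG_RE = re.compile(
    r"^(?P<method>GET|POST) (?P<uri>\S+) (?P<status>\d{3})(?: body=(?P<body>.*))?$"
)
# PHP command-execution functions: exec and system are named on the page;
# the other names are assumed siblings. The lookbehind rejects identifiers
# such as "myexec(" so that only the bare function name matches.
EXEC_FN_RE = re.compile(
    r"(?<![A-Za-z0-9_])(?:exec|system|shell_exec|passthru|popen|proc_open)\s*\(",
    re.IGNORECASE,
)

def _normalize(s: str) -> str:
    """Decode percent/plus encoding so 'system%28' is seen as 'system('."""
    # Decode twice: double-encoded requests otherwise evade a single decode.
    return unquote_plus(unquote_plus(s))

def is_potential_webshell(line: str) -> bool:
    """True when a GET/POST with a 2xx status carries a PHP exec-style call."""
    m = LOG_RE.match(line.strip())
    if not m:
        return False  # unparsable lines never alert
    if not 200 <= int(m.group("status")) < 300:
        return False  # the rule requires a successful response
    haystack = _normalize(m.group("uri") + " " + (m.group("body") or ""))
    return EXEC_FN_RE.search(haystack) is not None

def find_potential_webshells(lines):
    """Return the raw log lines that trigger the detection."""
    return [line for line in lines if is_potential_webshell(line)]

# Constructed sample log lines for a local run.
SAMPLE_LOG = [
    "GET /index.php?page=home 200",
    "GET /uploads/img.php?cmd=system%28%27id%27%29 200",
    'POST /wp-content/cache.php 200 body=x=shell_exec("ls")',
    "GET /shell.php?c=exec('whoami') 404",
    "GET /docs?q=myexec(1) 200",
]

if __name__ == "__main__":
    for hit in find_potential_webshells(SAMPLE_LOG):
        print("ALERT:", hit)
```

Only the second and third sample lines are flagged: the 404 response and the `myexec(` identifier are deliberately excluded to show the status check and the word-boundary guard at work.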
Categories
  • Web
  • Application
  • Cloud
  • Endpoint
Data Sources
  • Web Credential
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1505.003
Created: 2024-02-09